Splunk® IT Service Intelligence

Install and Upgrade Manual

Acrobat logo Download manual as PDF

Splunk IT Service Intelligence version 4.5.x will no longer be supported as of April 29, 2022. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.
This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure indexes in ITSI

IT Service Intelligence (ITSI) implements custom indexes for event storage. All ITSI indexes are listed in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf.

  • In a single instance deployment, the installation of ITSI creates the indexes in the default path for data storage.
  • In a Splunk Cloud deployment, customers work with Splunk Support to set up, manage, and maintain their cloud index parameters. See Manage Splunk Cloud indexes in the Splunk Cloud Admin Manual.
  • In a distributed deployment, create the indexes on all Splunk platform indexers or search peers.

For detailed examples of configuring indexes, see indexes.conf.example in the Splunk Enterprise Admin Manual.

ITSI-specific indexes

The following table describes the indexes available in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf:

Index Description
itsi_summary Stores the results of scheduled KPIs searches. Summary indexing lets you run fast searches over large data sets by spreading out the cost of a computationally expensive report over time.
anomaly_detection An internal index used to support trending and cohesive anomaly detection in ITSI.
itsi_tracked_alerts Stores active raw notable event data.
itsi_notable_audit Stores all audit events for episodes, including actions, comments, status change, and owner change.
itsi_notable_archive Stores episode metadata (tags and comments) that has been moved from the KV store after a default 6 month retention period, which begins when you close an episode in the UI. Moving data from the KV store removes extraneous data and helps improve performance.
itsi_grouped_alerts Stores active episode data.
snmptrapd Stores events coming in from SNMP traps. For more information, see Ingest SNMP traps into ITSI.
Last modified on 29 April, 2021
Install IT Service Intelligence in a search head cluster environment
Configure multiple ITSI deployments to use the same indexing layer

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters